Display access notification
Summary
The system must notify, upon any access attempt, that access to the system is only available for authorized users.
Description
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. Whenever a non-authenticated actor attempts to access those resources, the system must notify them that the resources are only available to authorized users.
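As an added illustration (not part of the original requirement page), the handler below shows one way to satisfy this requirement: every attempt to reach a non-public resource without valid credentials, whether credentials are absent or wrong, receives the same explicit notice and a 401 rather than a silent 404 or bare redirect, and public entry points display the notice as a banner. The paths, token store and notice text are constructed for the example.

```python
"""Minimal request handler demonstrating the 'display access notification'
requirement. Example code, not from the Fluid Attacks page; all names and
sample values here are constructed for illustration."""
import hmac

# Notice shown to any actor who is not (yet) authenticated.
ACCESS_NOTICE = "Access to this system is restricted to authorized users."

# Constructed: entry points that anyone may reach; they still show the notice.
PUBLIC_PATHS = {"/", "/login", "/health"}

# Constructed sample credential store (token -> user). A real system would
# back this with its authentication provider, never a hardcoded dict.
VALID_TOKENS = {"tok-alice-123": "alice"}


def authenticate(auth_header):
    """Return the user for a 'Bearer <token>' header, or None if it is
    missing, malformed or does not match a known token."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):]
    for known, user in VALID_TOKENS.items():
        # Constant-time comparison so timing does not leak token contents.
        if hmac.compare_digest(known, token):
            return user
    return None


def handle_request(path, auth_header=None):
    """Return (status, headers, body) for a request.

    Protected resources never answer an unauthenticated actor with a 404 or
    an unexplained redirect; the response itself states that the resource
    is only available to authorized users and tells the client how to
    authenticate (WWW-Authenticate)."""
    if path in PUBLIC_PATHS:
        # System use notification on public pages (e.g. the login page).
        return 200, {"Content-Type": "text/plain"}, ACCESS_NOTICE + "\n"
    user = authenticate(auth_header)
    if user is None:
        headers = {
            "Content-Type": "text/plain",
            "WWW-Authenticate": 'Bearer realm="restricted"',
            "Cache-Control": "no-store",
        }
        return 401, headers, ACCESS_NOTICE
    return 200, {"Content-Type": "text/plain"}, f"Welcome, {user}."
```

Note that a missing header and an invalid token yield byte-identical responses, so the notice does not double as an oracle for guessing credentials.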
References
- OWASP10-A7. Identification and authentication failures
- CERTJ-OBJ10-J. Do not use public static nonfinal fields
- NYSHIELD-5575_B_4. Personal and private information
- MITRE-M1036. Account use policies
- SANS25-13. Improper authentication
- CMMC-AC_L1-3_1_1. Authorized access control
- CMMC-AC_L2-3_1_8. Unsuccessful logon attempts
- CMMC-AC_L2-3_1_9. Privacy & security notices
- FEDRAMP-AC-8. System use notification
- FEDRAMP-SI-5. Security alerts, advisories, and directives
- LGPD-19_II-1. Data Subjects Rights
- IEC62443-IAC-1_11. Unsuccessful login attempts
- IEC62443-IAC-1_12. System use notification
- WASC-W_01. Insufficient authentication
- ISSAF-H_14_7. Network security - Intrusion detection (detection engine)
- OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- CWE25-287. Improper authentication
Weaknesses
- 006. Authentication mechanism absence or evasion
- 095. Data uniqueness not properly verified
- 099. Non-encrypted confidential information - S3 Server Side Encryption
- 240. Authentication mechanism absence or evasion - OTP
- 241. Authentication mechanism absence or evasion - AWS
- 242. Authentication mechanism absence or evasion - WiFi
- 243. Authentication mechanism absence or evasion - Admin Console
- 244. Authentication mechanism absence or evasion - BIOS
- 298. Authentication mechanism absence or evasion - Redirect
- 299. Authentication mechanism absence or evasion - JFROG
- 300. Authentication mechanism absence or evasion - Azure
- 365. Authentication mechanism absence or evasion - Response tampering
- 370. Authentication mechanism absence or evasion - Security Image
Supported In
This requirement is verified in the following services
Essential Plan
Advanced Plan